GreyEnergy

Malware Profile Updated 25 days ago
Download STIX
Preview STIX
GreyEnergy is a type of malware, or malicious software, designed to exploit and damage computer systems. It is believed to have been used in attacks on Ukraine's power grid in 2018 by the Russia-linked Advanced Persistent Threat (APT) group, Sandworm. Security firm WithSecure has identified overlaps between GreyEnergy and another malware known as Kapeka, suggesting that they might be related. Similarly, conceptual similarities were found between GreyEnergy and its probable predecessor, BlackEnergy, which was also associated with Sandworm's cyber-attacks. The research suggests that Kapeka could be a successor to GreyEnergy, following a pattern of malware evolution within Sandworm's arsenal. Both GreyEnergy and Kapeka consist of a dropper component with an embedded main backdoor, allowing unauthorized access to infected systems. This speculation is further supported by the discovery of overlaps between Kapeka and the Prestige ransomware attacks, attributed to Sandworm, which targeted Ukraine in 2022. In conclusion, there is strong evidence pointing towards a connection between Kapeka, GreyEnergy, and the Sandworm APT group. While the two malware samples do not share the same source code, their conceptual overlaps and shared usage patterns suggest a lineage of development. This finding underscores the evolving threat posed by Sandworm and the importance of continued vigilance and research in cybersecurity.
What's your take? (Question 1 of 5)
77a11317-4e7b-4f3a-a762-c683c2e3c4af Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Sandworm
4
Sandworm is a threat actor, often linked to Russia, known for its high-profile cyber attacks. The group gained notoriety for compromising 11 Ukrainian telecommunications providers and infiltrating Ukraine's telecom giant Kyivstar for months. In addition, Sandworm was responsible for disrupting power
BlackEnergy
4
BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ukraine
Malware
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Kapekais related to
3
Kapeka is a previously unknown backdoor malware linked to the Russian Advanced Persistent Threat (APT) group known as Sandworm. Discovered in 2022, Kapeka has been used in attacks against Eastern Europe, particularly targeting water supply facilities. The malware operates as a Windows DLL with a sin
PrestigeUnspecified
2
Prestige is a type of malware attributed to the Russia-linked Advanced Persistent Threat (APT) group, Sandworm. This malicious software was used in ransomware attacks against Ukrainian and Polish logistics companies in October 2022. The deployment of Prestige coincided with reported instances of ran
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the GreyEnergy Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
DARKReading
a month ago
Dangerous New ICS Malware Targets Orgs in Russia and Ukraine
ESET
a year ago
RansomBoggs: New ransomware targeting Ukraine | WeLiveSecurity
BankInfoSecurity
a month ago
Likely Sandworm Hackers Using Novel Backdoor 'Kapeka'
Securityaffairs
a month ago
Previously unknown Kapeka backdoor linked to Sandworm APT